Identified as CVE-2020-16009, the zero-day was discovered by Google's Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.
In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day.
Chrome users are advised to update their browser to version 86.0.4240.183 or later.
Second zero-day in two weeks
This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.
The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code's privileges and attack the underlying Windows OS. Microsoft is expected to patch the Windows zero-day on November 10, during the company's next Patch Tuesday.
Google didn't clarify if these two zero-days were abused by the same threat actor.
Update: Third zero-day also disclosed
Five hours after this article went live, Google also released patches for a third zero-day.
Tracked as CVE-2020-16010, this zero-day is a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component, and users can protect themselves by updating Chrome for Android to version 86.0.4240.185.